If You Need to Publish Your WCF Service Metadata, Publish it Over HTTPS Protocol

Publish your service metadata over HTTPS to protect clients from being spoofed when adding a service reference. Clients cannot be certain they have added a reference to the right service if you expose your service metadata over HTTP. The service may have been
spoofed through DNS poisoning or a man in the middle attack.

To publish your service metadata over HTTPS use the mexHttpsBinding and configure a server certificate for the service.